‼ CVE-2023-41944 ‼
📖 Read
via "National Vulnerability Database".
Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL, when rendering an error message, resulting in an HTML injection vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-27526 ‼
📖 Read
via "National Vulnerability Database".
A non Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 2.1.0. 📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41932 ‼
📖 Read
via "National Vulnerability Database".
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpoints, allowing attackers with to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file called 'history.xml'.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41937 ‼
📖 Read
via "National Vulnerability Database".
Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-36388 ‼
📖 Read
via "National Vulnerability Database".
Improper REST API permission in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma users to test network connections, possible SSRF.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-4589 ‼
📖 Read
via "National Vulnerability Database".
Insufficient verification of data authenticity vulnerability in Delinea Secret Server, in its v10.9.000002 version. An attacker with an administrator account could perform software updates without proper integrity verification mechanisms. In this scenario, the update process lacks digital signatures and fails to validate the integrity of the update package, allowing the attacker to inject malicious applications during the update.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41933 ‼
📖 Read
via "National Vulnerability Database".
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41931 ‼
📖 Read
via "National Vulnerability Database".
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not property sanitize or escape the timestamp value from history entries when rendering a history entry on the history view, resulting in a stored cross-site scripting (XSS) vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-39264 ‼
📖 Read
via "National Vulnerability Database".
By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users. This vulnerability exists in Apache Superset versions up to and including 2.1.0.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41934 ‼
📖 Read
via "National Vulnerability Database".
Jenkins Pipeline Maven Integration Plugin 1330.v18e473854496 and earlier does not properly mask (i.e., replace with asterisks) usernames of credentials specified in custom Maven settings in Pipeline build logs if "Treat username as secret" is checked.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-4588 ‼
📖 Read
via "National Vulnerability Database".
File accessibility vulnerability in Delinea Secret Server, in its v10.9.000002 and v11.4.000002 versions. Exploitation of this vulnerability could allow an authenticated user with administrative privileges to create a backup file in the application's webroot directory, changing the default backup directory to the wwwroot folder, and download it with some configuration files such as encryption.config/ and database.config stored in the wwwroot directory, exposing the database credentials in plain text.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41940 ‼
📖 Read
via "National Vulnerability Database".
Jenkins TAP Plugin 2.3 and earlier does not escape TAP file contents, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control TAP file contents.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41936 ‼
📖 Read
via "National Vulnerability Database".
Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected token are equal, potentially allowing attackers to use statistical methods to obtain a valid token.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41943 ‼
📖 Read
via "National Vulnerability Database".
Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to clear the SQS queue.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41150 ‼
📖 Read
via "National Vulnerability Database".
F-RevoCRM 7.3 series prior to version7.3.8 contains a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is using the product.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41939 ‼
📖 Read
via "National Vulnerability Database".
Jenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41947 ‼
📖 Read
via "National Vulnerability Database".
A missing permission check in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers with Overall/Read permission to connect to Frugal Testing using attacker-specified credentials.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41945 ‼
📖 Read
via "National Vulnerability Database".
Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled, resulting in users with EDIT permissions to be granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41941 ‼
📖 Read
via "National Vulnerability Database".
A missing permission check in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41946 ‼
📖 Read
via "National Vulnerability Database".
A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the attacker-specified username.📖 Read
via "National Vulnerability Database".
🕴 Google's Souped-up Chrome Store Review Process Foiled by Data-Stealer 🕴
📖 Read
via "Dark Reading".
Researchers have discovered that despite Google's adoption of the Manifest V3 security standard to protect against malicious plug-ins, attackers can still get bad extensions past its review process.📖 Read
via "Dark Reading".
Dark Reading
Google's Souped-up Chrome Store Review Process Foiled by Data-Stealer
Researchers have discovered that despite Google's adoption of the Manifest V3 security standard to protect against malicious plug-ins, attackers can still get bad extensions past its review process.
👍1